From 35155ce14fc3884fcee2965f0e9e7a52210ae6b5 Mon Sep 17 00:00:00 2001
From: Arseniy Obolenskiy
Date: Wed, 22 Oct 2025 20:41:24 +0200
Subject: [PATCH] Fix Token-Permissions OpenSSF remarks
---
 .github/workflows/codeql.yml | 3 +++
 .github/workflows/labeler.yml | 3 +++
 .github/workflows/mac.yml | 3 +++
 .github/workflows/perf.yml | 4 ++++
 .github/workflows/pre-commit.yml | 4 ++++
 .github/workflows/static-analysis-pr.yml | 4 ++++
 .github/workflows/ubuntu.yml | 9 +++++++++
 .github/workflows/windows.yml | 3 +++
 8 files changed, 33 insertions(+)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 13747aaec..dddd0ad7a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -5,6 +5,9 @@ on:
 - cron: '0 0 * * *'
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index bcd35e6ec..83b471cf9 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -3,6 +3,9 @@ name: "Label PRs"
 on:
 - pull_request_target
+permissions:
+ contents: read
+
 jobs:
 label-pull-requests:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/mac.yml b/.github/workflows/mac.yml
index 7b04a6b6e..8d821ce63 100644
--- a/.github/workflows/mac.yml
+++ b/.github/workflows/mac.yml
@@ -1,6 +1,9 @@
 on:
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 clang-build:
 runs-on: macOS-latest
diff --git a/.github/workflows/perf.yml b/.github/workflows/perf.yml
index ba87df9b5..797039d77 100644
--- a/.github/workflows/perf.yml
+++ b/.github/workflows/perf.yml
@@ -1,6 +1,10 @@
 on:
 workflow_call:
+permissions:
+ contents: read
+ packages: read
+
 jobs:
 ubuntu-gcc-build-perf-stats:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 6fa2ed6b3..caaa8562d 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
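Review bot: The new workflow-level `permissions: contents: read` in codeql.yml also caps the token handed to the `analyze` job, and the CodeQL upload step needs `security-events: write` (plus `actions: read` on private repositories) to publish results; the job's own `permissions:` block is outside this hunk, so if it does not already grant that scope the scan will run but the upload will be rejected. Keep the top-level `contents: read` and grant the write scope on the job only, e.g. under `analyze:` add `permissions:` / `  contents: read` / `  security-events: write`. The `analyze` job body continues past the end of the hunk.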
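Review bot: labeler.yml runs on `pull_request_target`, which gives the job a token with write access to the base repository and access to secrets even for fork pull requests, so the top-level `contents: read` only helps if the `label-pull-requests` job (its steps are outside the hunk) declares the one scope labelling needs, `pull-requests: write`, at job level and never checks out or executes code from the PR head. If the job currently relies on the default token for labelling, this change will likely make that step fail until the job-level grant is added. I would record the invariant above the trigger: `# pull_request_target: privileged token — this workflow must only read PR metadata, never check out or run PR code`.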
@@ -5,6 +5,10 @@ on:
 pull_request:
 workflow_call:
+permissions:
+ contents: read
+ packages: read
+
 jobs:
 pre-commit:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/static-analysis-pr.yml b/.github/workflows/static-analysis-pr.yml
index 474794438..5adc81916 100644
--- a/.github/workflows/static-analysis-pr.yml
+++ b/.github/workflows/static-analysis-pr.yml
@@ -19,6 +19,10 @@ concurrency:
 github.event_name != 'merge_group' && !startsWith(github.ref, 'refs/heads/gh-readonly-queue') }}
+permissions:
+ contents: read
+ packages: read
+
 jobs:
 clang-tidy:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
index 598e36719..8fd201aa2 100644
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -1,6 +1,10 @@
 on:
 workflow_call:
+permissions:
+ contents: read
+ packages: read
+
 jobs:
 gcc-build:
 runs-on: ${{ matrix.os }}
@@ -330,6 +334,11 @@ jobs:
 - gcc-test-extended
 - clang-test-extended
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ packages: read
+ issues: write
+ pull-requests: write
 container:
 image: ghcr.io/learning-process/ppc-ubuntu:1.1
 credentials:
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index eb067fb0e..899c21bbc 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -1,6 +1,9 @@
 on:
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 msvc-build:
 runs-on: windows-latest
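Review bot: In the second ubuntu.yml hunk the job that receives `issues: write` and `pull-requests: write` runs inside `ghcr.io/learning-process/ppc-ubuntu:1.1`, a mutable tag rather than a digest, so whoever can push that tag can run code holding a token able to edit issues and comment on pull requests in the calling repository. Pin this job's image by digest, `image: ghcr.io/learning-process/ppc-ubuntu@sha256:<digest>`, and treat it as the one job where the pin matters most since the others hold only read scopes. Because the file is a `workflow_call` workflow, these scopes only take effect when the caller grants them; a caller triggered by `pull_request` from a fork gets a read-only token regardless, so the steps that write should be gated on the event or tolerate a rejected call. The job definition begins before the hunk and its `container:` / `credentials:` block continues past it.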